Monday, October 10, 2011

The sample was found at a URL attached to emails and posted on some online forums in Japan, where it was described as suspicious software. There is doubt about whether it is goodware or malware, since some antivirus products detect this software as a hacktool. Upon request I analyzed the sample; the following report explains why so many antivirus products detect it as malware.

This is Winsock Packet Editor Pro (WPE Pro 0.9a), a packet sniffing/editing tool that is generally used to hack multiplayer games. The maker's homepage is http://www.wpepro.net. This software is not a new issue, but it is still a subject of information exchange among some game players, so we still find it on the internet today. It was originally developed in an English Windows environment, but the sample I saw has a Japanese language mod too. It looks like the antivirus scanning function in some honeypot detection has triggered some alerts.

WPE Pro can be used for bad purposes, to hack software on a Windows PC by sniffing the packet information that goes to Winsock or by injecting information through it, or it can be used for good purposes as a penetration testing tool and for other security work. The maker states on the product homepage that the program is free of any malicious code, but admits that many antivirus products detect it as malware and block its operation.

The detected sample (a zip package of WPE PRO) contains two binary files: one executable (WPE PRO.exe) and a runtime library file (WpeSpy.dll). "WPE PRO.exe" cannot be executed without WpeSpy.dll; the other .spt files are configuration setup files. WPE PRO.exe without WpeSpy.dll (or vice versa) is useless.

To make it clear: WPE PRO is software to sniff and/or inject the packets/data of another program on Windows OS; in short, it is a hack tool. Depending on how it is used, it can serve malicious acts, as demonstrated in the YouTube video below, or research purposes (the good ones).

Why is WPE PRO judged as "not a virus"? Why do some antivirus products block this software? Is WPE really malware? These are the questions found on the internet now. Since references on this software are so few, I would like to analyze it in a malware-analysis-like way and explain the software itself as below:

Behaviour Analysis:

The program itself runs nicely; it starts and ends under the user's control and does not create any backdoors (unless we define it to). If you run it, it shows a GUI like the one below (in a Japanese environment):

In order to use this software you must select one of the processes on your PC to hack. I tested it in my VMware and took the screenshots below:

You can save the packet data too:

*) For a demo of malicious usage of this software, see the "reference section" below.

Code Analysis:

Below are some analysis dumps of WPESPY.DLL and WPE PRO.EXE which, from a security point of view, show some malicious-looking acts such as disabling DEP, accessing and intercepting other processes, etc. (sorry, I am not going into the details about it). Yes, a person can use this software to hack, and in my view this software was developed for that purpose. Please see the dump data below, then the YouTube demo in the reference section.